Infographic: APIs that Secretly Rule Your Life

Data and user information are the lifeblood of businesses in today’s market, and the ability to collect and use that information is essential. Application program interfaces, or APIs, are used by companies and establishments to collect, organize, and analyze data on a daily basis. But what type of information is being collected? In one word – everything. This includes political preference, social insurance number, Facebook likes, emails, reviews on Yelp, ecommerce, and much, much more. The data collected is then used by companies to learn about their customers (or target market) and create messaging that is custom-tailored for each individual. Check out this infographic, provided by Who Is Hosting This?, to learn just how pervasive APIs are:


How do you feel about companies using your online information to promote their product or service? Is this a natural progression as we continue to move to a more virtual lifestyle? Let us know what you think by posting a comment below.

5 Tips on Protecting Your Business from a DDoS Attack


An escalating number of businesses are falling victim to distributed denial of service, or DDoS, attacks. Compared to this period last year, there has been a 47% increase in the total number of DDoS strikes. Companies that learn from an attack and educate their employees on cyber security go a long way. Getting hit by a DDoS attack can help uncover some vulnerabilities or mistakes that your IT department may not have previously been aware of. Combining your experiences with these 5 tips on protecting your business from a DDoS attack is the best way to help prevent future incidents.

  1. Conduct an Assessment: Review your company’s current state of network security – whether you’ve experienced problems in the past or not. This will give you a sense of where your weak points are and allow you to reinforce them.
  2. Know your Network: Reducing the cost and impact of an attack starts with early detection. The better you know your network, the easier it is for you to identify a problem. Having an understanding of the strengths and weaknesses of each network component will also give you a better understanding of what kind of assaults you can protect yourself from (such as a small attack originating from a single IP address) and if you need to outsource to help fill any security holes.
  3. Implement General Rules to Help Mitigate Attacks: Some general rules to help defend against a DDoS attack include shutting down all unnecessary ports and protocols, implementing an IP blacklist, blocking invalid and malformed packets, and configuring and hardening network equipment.
  4. Communicate with your ISP: In some instances, an attack can be so big that it completely saturates your bandwidth, making any other preventative tactics ineffective. Be sure to learn the procedures for getting your ISP to intervene if necessary. Work with your ISP to plan and practice for any possible large-scale attacks, and be sure to examine your Service Level Agreement (SLA) to learn your ISP’s options for defending against DDoS assaults.
  5. Create an Action Plan: In the unfortunate event that your company suffers an attack, having an action plan in place can help you stay in control – because once an attack is occurring, it’s too late to decide what action to take and how to respond. Be sure to structure your plan by severity level, since your responder actions will vary depending on the impact of the attack.

DDoS attacks can happen to any business at any moment. It’s naive to think that your website is too small to attract the attention of hackers, especially since DDoS is a relatively easy attack to perform. Reducing the cost of an attack starts with preparation and early detection.

Click here to learn more about how to protect your company from cyber attacks.

Blog Author: Vanessa Hartung

Infographic: Cyber Crime 2013 – The Year of the Mega Breach

The year 2013 yielded record breaking data breaches and cyber crime numbers in the business community. Upon reviewing multiple reports generated by industry heavy hitters, like IBM and Symantec, we’ve created an infographic of some of their key findings.


Businesses will need to take an active role in securing their company and customer data in 2014. Poor protective measures are putting an increasing number of companies at risk and the potential implications of losing data are huge. Educating staff, improving malware solutions, and routinely backing up your data are some of the steps your company can take towards increasing security and preventing loss.

Blog/Infographic Author: Vanessa Hartung

 

Five of the Worst Cyber Attacks: Learning from Past Mistakes

As computer and Internet technologies continue to improve and evolve, so do the tactics and infiltration methods of cyber criminals. It’s critical for businesses of all shapes and sizes to ensure their network is always protected. Network security measures need to be updated and tested frequently in order to prevent the loss of any important company or customer data. If your business isn’t adequately protected from hackers, you could end up like one of the companies included in our list of some of the worst cyber-attacks.

  1. Mafia Boy Attack on Commercial Websites: In 2000, a 15-year-old Quebec boy hacked into multiple commercial websites and shut down their systems for hours. Some of the impacted sites included CNN, Dell, Amazon, Yahoo, and eBay. The only reason this “professional hacker” was caught is because he bragged about his achievements in an online chat room. It’s estimated that the juvenile hacker cost $1.2 billion in damages, proving to businesses everywhere that all it takes is one hacker to cripple their productivity and cut revenue.
  2. Target Loses Credit Card Data: During the holiday season in 2013, Target Corp. was hit by cyber thieves who used a RAM scraper to grab encrypted data by capturing it as it travels through the live memory of a computer, or – in this case – a checkout point-of-sale system. An investigation of the attack revealed that the cyber criminals stole the personal information of approximately 70 million customers. It wasn’t until Internet security blogger, Brian Krebs, wrote about the incident on his website that Target publicly admitted to the data breach. This resulted in a double hit for Target customers – not only was their information compromised, but they weren’t aware of it until long after the incident had occurred, which resulted in some very disgruntled customers.
  3. Epsilon Emails Hacked: The massive marketing firm, best known for its big-name clients – Best Buy and Chase – is estimated to have a potential loss of up to $4 billion after cyber criminals hacked into their database. The names and emails of millions of customers were stolen in March 2011, which could then be used to create more personalized and targeted phishing attacks. However, the biggest hit was felt by Epsilon – who had a client list of more than 2,200 global brands and handled more than 40 billion emails annually – as they struggled to keep the trust and business of their well-known clients.
  4. Grocery Retailer Suffers 4 Month Long Breach: That’s right, for 4 months the upscale North American grocery chain experienced a security breach that resulted in the loss of approximately 4.2 million customers’ credit card details. Not only was the incident a black mark on the company’s public image, but it was a huge financial burden for the corporation. Cyber criminals gained access to the sensitive information by installing malware on the store servers, collecting the data from the winter of 2007 until the spring of 2008. It’s estimated that the costs incurred by the attack totaled $252 million.
  5. PlayStation Network Loses Millions: In 2011, over 100 million customer accounts containing credit and debit card information were stolen by a group of hackers. The breach lasted 24 days, and the hackers were even able to log on while the company was trying to fix the problem – even though dedicated gamers weren’t able to log on. Experts are speculating that this may be the costliest cyber-attack ever, totaling an estimated $2 billion in damages. To make matters even worse, British regulators fined Sony 250,000 pounds (approximately $396,000) for failing to prevent the attacks by not implementing adequate security. Britain’s Information Commissioner’s Office stated that the security measures in place at the time were “simply not good enough” and that there’s “no disguising that this is a business that should have known better”. So if your company isn’t making the time and effort to protect customer data – they’re sure to find out if your system is attacked. Good luck regaining your customers’ trust – and business – after a reveal like that.

Still haven’t convinced you that implementing a variety of security measures to protect your company and customer data is one of the highest priorities? Check out this quick video BuzzFeed created highlighting some more major cyber-attacks.


Not sure where to get started? Here is an article on how to train your employees on cyber security – click here.

Blog Author: Vanessa Hartung

The Impact of the Heartbleed Bug on Business

The Heartbleed bug has swept across the nation, impacting countless businesses and consumers. The bug is a vulnerability in OpenSSL, which is the name of a 1998 project that was started to encrypt websites and user information across the web. What started as a project committed to data encryption is now standard on 2/3 of all websites on the Internet. Without OpenSSL, our personal information submitted across every website we visit could land in the hands of cyber criminals. Ironically, the OpenSSL software that was designed to protect users contained a flaw that made it possible for hackers to trick a server into spewing out the data that was held in its memory.


When news of Heartbleed struck, businesses scrambled to find out how many of their systems were using the vulnerable version of OpenSSL. While the big web companies, such as Google and Yahoo, were able to move fast to fix the problem, smaller e-commerce sites are struggling to “patch” the software quickly. As the larger sites close the door on the Heartbleed bug, hackers are turning their attention to any small and medium businesses that may not have the knowledge or manpower to update and protect their e-commerce sites accordingly.

However, regardless of the size of the business, if customers learn that a company’s system has been hacked and their personal information was compromised, legal issues could arise. Angered customers – and their lawyers – will look to hold businesses accountable for any personal data that lands in the hands of hackers. Businesses need to communicate with their customers to inform them what steps have – and will be – taken to fix the problem. That way, customers can update their passwords accordingly once a business has confirmed that their site is clean.

Many of the impacted sites are not just popular for personal usage, but are used every day by businesses of all sizes. Companies will need to follow the same steps as their customers and wait to receive confirmation from any frequently used websites that the issue has been resolved before changing their passwords. It’s also important to realize that other devices, such as Android smart phones and tablets, are vulnerable to the bug as well.

The Heartbleed bug ordeal is just another reminder of the security challenges companies are facing as more and more economic activity moves online. According to eMarketer, an independent research organization, worldwide business-to-consumer e-commerce sales are likely to increase to $1.5 trillion this year. With money like that on the line, you can bet cyber criminals will be vigorously targeting businesses to try and get a piece of the pie. Companies need to take all necessary precautions to protect themselves and their customers.

To learn more about protecting your business, click here.

Blog Author: Vanessa Hartung

Your Fridge May Be Sending Out Spam – And Not the Canned Meat Kind


At the 2014 Consumer Electronics Show, the Internet of Things and smart devices stole the spotlight. Tech heavyweights Samsung and LG unveiled their “Smart Home” devices, which consisted of household appliances that were able to communicate with the homeowner and each other. These M2M devices (machine to machine) are each assigned an IP address, allowing them to connect to the Internet and transfer data (or, in other words, talk to each other) over a network without the need for human interaction.

This technology provides businesses and consumers with an array of benefits, without a doubt. Consumers are able to save on time and money – now that they can switch their appliances to an energy saving mode remotely or text their fridge to find out if they need to buy milk at the store before arriving home. Businesses are able to collect endless amounts of information from their customers and their devices – such as maintenance requirements or customer food preferences. However, with both parties looking to utilize IoT as soon as possible, security measures have been overlooked.

Between December 23 and January 6th, several Internet-connected “smart” devices – including refrigerators – sent upwards of 750,000 malicious emails. This is believed to be the first cyber attack involving IoT, and likely won’t be the last. Many IoT devices are poorly protected and consumers aren’t able to detect or fix security breaches when they do occur. As more of these smart appliances “come online”, attackers are finding ways to exploit them for their own needs.

Additionally, following an M2M conference in Toronto, ON, the Director of Policy for Ontario’s privacy commissioner pointed out that these devices also hold a lot of data that will be personally identifiable. Organizations are being urged to think about the privacy of customer data before employing M2M and IoT devices. Recently, customer data was leaked by LG’s smart TV as it was collecting and transmitting personal information to the manufacturer because there was no encryption. In an even more bizarre circumstance, the signal transmitted from a wireless camera used to monitor the interior of a Canadian methadone clinic was being picked up by a back-up camera inside of a vehicle outside of the building.

It’s imperative for organizations and consumers to comprehend the security and privacy risks associated with M2M and IoT enabled devices. Consumers will need to ensure that they keep their software up-to-date, change all default passwords to something more secure, and place their IoT device behind a router. Meanwhile, organizations who manufacture these devices must incorporate any available security measures to ensure their customers’ information and networks stay protected. The benefits of IoT devices far outweigh the concerns, but those concerns still need to be addressed before IoT can really take off.

To learn more about the Internet of Things, check out our previous blog post by clicking here.

Blog Author: Vanessa Hartung

 

Are You Too Worried About Cloud Security?

Should you wait, or push forward? Is it better to embrace the new technology, or to wait for it to be improved and refined? These are questions that come up again and again in virtually every part of the business world, but they seem particularly apt when it comes to the phenomenon that is cloud computing – the hottest IT trend in the world and a way for businesses of all sizes to gain huge performance advantages on smaller budgets.


On the surface, there isn’t much not to love about cloud computing. By moving your hardware and software to a remote location and accessing it via the web, you gain the ability to access real-time information from any web-enabled device… and all while taking advantage of those cost savings we already mentioned. A relatively sizable minority of small businesses is holding off on making the transition just yet, however, because they have concerns about cloud security.

Should you wait right alongside them? Or, is worrying too much about cloud security holding you back from making a decision that can help your company? As always, there isn’t a cut-and-dried answer to that question. While security breaches have been relatively rare, there have been some valid concerns when it comes to cloud security at some facilities, and with some vendors. However, those concerns shouldn’t be pressing enough to stop most organizations from making the switch.

To understand why, consider the basic model that most reputable cloud computing package providers employ to keep data safe. Generally speaking, they deter, prevent, correct, and detect – that is, they do everything they can to scare thieves away, stop them from accessing data, limit the damage they can do, and then fix any known security issues quickly. To get a sense of how that actually works in the real world, consider some of the major safeguards that cloud computing providers using Canadian data centres put into place to protect the flow and integrity of client data:

Maximum strength encryption: In the best Canadian colocation data centres, high-level encryption is used for the transmission of files to and from client workstations. Although maximum strength encryption can theoretically be broken, cyber criminals almost always look for smaller and easier targets that are more vulnerable.

Comprehensive antivirus scanning: It isn’t unusual for a single virus, introduced by the wrong download or email attachment, to infect multiple computers within the same small business network quickly. At a state-of-the-art cloud computing facility, however, continuous antivirus scans mean that bits of problematic code are identified and quarantined very quickly.

On-site protection: In a lot of small businesses, servers, backup hard drives, and other pieces of hardware containing sensitive data are often left completely unguarded and out in the open. At a cloud facility, trained security personnel are on the premises around the clock – as are engineers and systems experts to monitor the hardware and flow of information.

Redundancy systems: When you lose an important piece of hardware in your office or facility, it’s likely that the important files you need have disappeared forever. Because files stored in the cloud are continuously backed up, however, even a natural disaster won’t cause you to lose information like client records that you desperately need to keep your company going.

Environmental controls: You can’t find a better environment for cloud computing than the ones you’ll find in our Canadian data centres, where continuous power backups, strict climate control, and a lack of natural disasters all work in our favor. Plus, we have a very stable government with strict privacy laws, so you don’t have to worry that any organization is going to have an unauthorized look through your company’s records.

When it comes down to it, we can’t guarantee beyond every doubt that a security breach will never take place at our cloud facility, or at any of the others across the country. What we can promise you, however, is that the steps we take to safeguard important information are much, much stronger than the ones you would find in most corporate offices… and certainly at a higher level than the ones most small businesses use.

The issue, then, isn’t whether cloud security should be a concern, but whether you can really believe that you’re safer without cloud computing in a Canadian data centre.

To learn more about cloud computing, check out our white paper Cutting IT Costs with Cloud Computing.

How to Train Employees on Company Cyber Security

Guest Author: This week’s blog was provided to us by Theo Schmidt, an independent blogger. Schmidt has an interest in computer science and engineering, which he uses to fuel his blogging. You can learn more about him on Google+.

No matter your line of work, company cyber security is something that should weigh heavily on your mind. Whether it be phishing scams or malware attacks, it is important to ensure that employees know what they are expected to do to prevent and avoid security breaches.

Suspicious Links

It is important that employees realize that the sites they visit can negatively affect the entire company. Typically these sites are not sought after but are brought on via email or links from other sites.

A company can help to prevent visits to harmful websites by installing powerful firewall protection. However, employees are at the front lines of defense. They must be trained and reminded that bad links can be just as dangerous as anything else on the web.

Unknown Emails

Scammers and phishers know what they’re doing when they try to trick people into giving up information. Sometimes an email is an obvious scam—a prince in Nairobi is asking for monetary donations or something equally ridiculous. Other emails can be a bit trickier though.

Email scammers are getting smarter and better at making the email address look legitimate. Often they will attach a file that they want downloaded disguised as a form or important information. However, once the file is downloaded the company’s security, data, contacts, and even financial information can be at risk.

Employees should exercise extreme caution when downloading any file, whether they think they recognize it or not. In general, it is smarter to keep computers as clean as possible and store only work-related materials.

Logging In

When employees are asked to log in to sites they are not familiar with using their company login information, plenty of information is automatically given up to the intruding site. From there it is possible that they will be asked to download files, give up more information, or the site will simply have the password and username on hand for whatever they wish to do.

Logging in to an untrustworthy site is an easy albeit foolish mistake to make. It is important to make employees aware of the risks at hand. Companies can still protect themselves with encryption software and training to help employees spot these scamming sites.

Sharing Information

Additionally, it is key that employees recognize the importance of keeping the company’s data safe and secure. This means that not only should they do what they can to keep it safe inside the company, they should also not let it be leaked outside.

Information can be leaked via blogs, emails, or anything else. Employees should keep passwords secret and frequently change them. Passwords should never be repeated on multiple sites.

Enforce Change

Keeping employees up on security procedures is a process. Employees won’t change their behavior overnight nor will they decide to care about the company’s security on a whim. It must be made a part of their everyday job expectations to work against cyber threats. Just like any other positive behavior in employees, it should be recognized and reinforced.

In the war against scammers, human error is the bigger problem. According to CompTIA, 55% of breaches are due to mistakes made by employees. It can be difficult to spot potential problems because so often fake websites, emails, and links look real. However, the flaws are in the details.

Companies that store important data like electronic medical records, financial records, and other personal information are at a high risk of intrusion. Employees must be trained to diligently watch for signs of a breach in cyber security. So long as they know what to be aware of and what threat they themselves could pose, they can help the company by becoming part of the defense and less of a liability.

For more information on data protection, check out the Practice Studio website.

To learn about storing company information in a secure location, click here.

Email Security: Google Gmail Users Shouldn’t Expect Privacy

This week, the California-based advocacy group, Consumer Watchdog, has exposed the details of their class-action lawsuit against Google for data mining. The lawsuit, which was filed last month, reveals that Google scans Gmail emails for keywords as a way to target specific ads to each user. Several of the plaintiffs in this case are Gmail users who feel that their privacy has been violated. However, a brief filed by attorneys for Google says that Gmail users should assume that any correspondence that’s being passed through Google’s servers can be accessed and used for a variety of purposes, such as targeted advertising.

The plaintiffs claim that an illegal interception occurs each time an email sent to or from a Gmail account is scanned. Google counters that claim by stating that the automated scanning is outlined in the Terms of Service agreement, which all users must accept in order to use the Gmail service. However, it is important to note that it is not only registered Gmail account users who are susceptible to data mining – any user who sends an email to a Gmail address is vulnerable as well. To address the plaintiffs who are complaining about their emails to Gmail users being scanned and processed, Google’s lawyers have stated:

“While the non-Gmail Plaintiffs are not bound to Google’s contractual terms, they nonetheless impliedly consent to Google’s practices by virtue of the fact that all users of email must necessarily expect that their emails will be subject to automated processing.

Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s [email] provider in the course of delivery. Indeed, a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”

To put the above statement into perspective, please consider the following analogy provided by John M. Simpson, Consumer Watchdog’s Privacy Project Director: Sending an email is like giving a letter to the Post Office. A person expects that the letter will be delivered based on the address written on the envelope – not that the mail carrier will open the letter and read it before dropping it off at the specified address. Similarly when someone sends an email, the expectation is that the email will be delivered to the intended recipient – not that Google will intercept and read the email before it arrives at the stated email address.

So what does all this mean for your business? It’s important that your company is aware that any information being sent to customers who have a Gmail account is likely to be intercepted. In order to protect company and customer information, Gmail (or any similar type of web-based email service) should be avoided where possible, especially if the email communication holds sensitive or valuable data.

Additionally, web-based email services can be very appealing to start-up companies looking to save money. However, it may end up costing your business in the long run if confidential information is leaked. Although tempting, businesses should consider alternative ways to save on costs instead of registering for a free web-based email service. Even Google has admitted that their service is free for a reason, stating that it would be “virtually impossible” to offer this type of free service without the financial support of advertisers.

It is highly recommended that businesses employ a secure email service, one that is able to provide end-to-end encryption and doesn’t store emails in an unencrypted form. To add an extra layer of security, we also suggest using an Internet Service Provider that is exclusive to businesses (such as TeraGo Networks). Business-only providers have a better understanding of the needs of companies, including the need to keep all information secure.

To learn more about the lawsuit against Google, click here.

If you would like to learn more about TeraGo Networks, click here.

Blog Author: Vanessa Hartung